The US Cybersecurity and Infrastructure Security Agency (CISA) is warning about multiple ongoing supply chain attacks and is urging developers and open-source platform users to apply mitigations and secure their environments.
In a news alert published earlier this week, the agency warned about attacks on GitHub repos via a malicious Nx Console Visual Studio Code (VSCode) extension, as well as the Megalodon supply chain campaign. It said these attacks show “how cyber threat actors are abusing tools and processes that support enterprise, cloud, and DevOps environments – specifically CI/CD pipelines, code extensions, and workflows.”
Building on an earlier compromise of Nx developer systems, threat actors compromised a GitHub employee’s device through a poisoned third-party VSCode extension, gaining access to their repositories and stealing sensitive information found within.
CISA’s advice
In Megalodon, hackers injected malicious GitHub Action workflows to steal CI/CD secrets, cloud credentials, and tokens, CISA said.
With that in mind, it urged organizations to monitor and audit workflow files and contributor activity and revert any unauthorized changes.
Organizations that discover a breach stemming from previously compromised GitHub or Nx Console software should conduct a forensic review of CI/CD logs, cloud audit trails, and affected developer machines, and rotate or revoke all secrets. That covers every credential, token, and secret accessible to CI/CD pipelines: API keys; cloud provider credentials (Amazon Web Services, Google Cloud Platform, Microsoft Azure); SSH keys; Docker, npm, PyPI, Vault, Terraform, and Kubernetes tokens; GitHub, GitLab, and Bitbucket tokens; and developer or pipeline secrets.
When using package repositories, CISA recommends waiting at least three hours before pulling a newly published package, giving the community time to spot suspicious or malicious commits. It also recommends pinning software to specific trusted versions and pulling packages only from known and trusted sources.
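A small audit script in the spirit of this advice, added here as an illustration and not part of CISA’s alert or the article: it flags GitHub Actions `uses:` references that are not pinned to a full commit SHA, and checks whether a package version has been public for at least three hours. The workflow text, registry timestamps and commit SHA below are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample workflow (not from the article): one SHA-pinned step,
# one floating tag, one branch reference. The SHA is made up.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@v4
      - uses: some-org/helper-action@main
      - run: npm ci
"""

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

def unpinned_actions(workflow_text):
    """Return 'uses:' references not pinned to a full commit SHA.
    A tag or branch can be moved by whoever controls the action repo; a SHA cannot."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and container actions follow different pinning rules
        _name, _, version = ref.partition("@")
        if not SHA_PIN.match(version):
            findings.append(ref)
    return findings

# Constructed npm-style registry metadata: the real registry exposes a "time"
# map of version -> publish timestamp; these timestamps are made up.
SAMPLE_REGISTRY_TIME = {
    "created": "2024-01-10T09:00:00.000Z",
    "1.2.3": "2024-01-10T09:00:00.000Z",
    "1.2.4": "2024-03-01T11:30:00.000Z",
}
SAMPLE_NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)  # assumed "current" time

def passes_cooldown(version, time_map, now=SAMPLE_NOW, min_age=timedelta(hours=3)):
    """True if `version` was published at least `min_age` before `now`
    (the three-hour waiting period CISA recommends)."""
    published = datetime.fromisoformat(time_map[version].replace("Z", "+00:00"))
    return now - published >= min_age
```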
